Andy Cox and Tom Bryant explain how data analytics is improving the internal audit process, and why it's important actuaries get to grips with it.

As the availability of data increases and powerful tools for analysis become cheaper and more accessible, internal audit is expanding its use of data analytics to replace or enhance traditional ways of assessing controls. Auditors are improving the efficiency and reach of their testing to give greater insight into the risks faced by businesses. Insurers now use data science specialists, and often have teams of data specialists. A recent survey of UK insurers' audit departments suggests there are two key ways in which data analytics are being used: 100% sampling, and highlighting challenging areas.
100% sampling
Traditionally, auditors have used sampling techniques to test characteristics of populations. For example, faced with the population of payments made by an insurer in a year, an auditor would establish an appropriate sample size and then use a selection methodology to pick the sample. The sample would then be tested to confirm each payment had been initiated and approved by appropriate staff within the firm. This situation is problematic for a number of reasons - the large number of payments requires a significant sample size, the controls may not be homogenous across the sample, and the testing results give limited insight.
Data can be downloaded and interrogated more easily than ever before, so auditors can now check years' worth of payments using analysis tools. The payments can be downloaded to a data manipulation tool and other data tables can be joined, using database tools to enhance checking. For example, the ledger may contain staff numbers of those involved in making the payments; these staff numbers can be automatically linked to an HR data table containing up-to-date information on staff seniority and department. The auditor can therefore check that all payments have been made by a person from the appropriate department for the payment type concerned. A check can also be made to ensure the approver is the more senior of the two parties - a fraud red flag being where a junior person reporting to a more senior person is coerced into approving an inappropriate payment. This can be done for hundreds or thousands of payments, rather than what might have been dozens under the traditional manual sampling methods. The resulting exception list may not, of course, reveal any fraud - but it can identify areas of concern or provide assurance that controls are working effectively, providing comfort to audit committees.
Highlighting challenging areas
Sometimes it is necessary to pick a sample in order to understand whether a control is working. Data analytics can help to focus sample testing on those areas that may be higher risk. One of the more interesting cases we've come across involves voice recognition on customer phone calls to a financial services firm. There are now increasingly accurate tools in existence that can recognise the key topics being discussed in a call, as well as caller sentiments such as anger or dissatisfaction. These tools use now-familiar techniques, but in powerful combinations; the customer call is first converted to written text which can then be analysed. The word cloud in Figure 1 shows the most commonly mentioned words in customer calls to a firm; the bigger the font, the more the words have been mentioned. Key words can be identified and/or scored, and a sentiment score can be calculated via a publicly available dictionary that categorises words as having either a negative or positive sentiment. This, in turn, can be used to assess whether the customer is making a complaint. Counts of certain 'trigger' words, as seen in Figure 2, can also be used to identify potentially vulnerable customers who need to be treated appropriately. As shown in Figure 3, internal audit can then investigate whether calls involving complaints and/or a vulnerable customer have been dealt with appropriately. As costs fall and cloud-based technologies become increasingly accessible, what was leading-edge is rapidly becoming normal practice.



Where can actuaries help?
A survey on which profession is best at data analytics was recently conducted with members of the Internal Actuarial Auditors Network (IAAN). Nearly 75% of the surveyed group said that data scientists are the best at data analytics, while approximately 25% chose actuaries. The remaining professions on the list - accountants and auditors - made up less than 1% of answers. The survey is likely to be biased in that it was completed by actuaries, but it gives an indication of the perceptions people have of each profession.
Actuaries recognise their abilities within data analytics, but also credit data scientists for having capabilities beyond those that are traditionally part of actuarial training. Accountants and operational auditors have some training to do if they want to be seen as leaders in data analytics. One observation is that actuaries are good at coming up with the original ideas for data analytics in internal audit; they usually know the business model well and can come up with ideas for spotting potential issues. However, they do need to develop their skills so they can produce polished graphics that are accessible to those outside an area of expertise - for example an audit committee receiving internal audit reports.
If you are audited this year, do actively engage in the data analytics discussion. Data analytics in audits can help you demonstrate to stakeholders that controls are working well, and new data science and visualisation techniques can provide insight in areas that were previously too expensive or time consuming to explore. Actuaries must ensure that communication of the results is tailored to the non-technical audience. Working in a diverse team may help actuaries develop these skills and make significant contributions to the audit process.
The Internal Audit Actuarial Network (IAAN)is an informal meeting of actuaries working in internal audit within UK insurance offices. It usually meets three times a year to discuss areas of common interest. If you are an insurance actuary working in internal audit and are interested, please contact: [email protected]
Andy Cox is an actuary and audit manager at Legal & General GroupDelhi
Tom Bryant is a chartered accountant and head of audit for Retirement & Group Finance at Legal & General GroupDelhi